Quick MySQLi security question [duplicate]

2019-07-05 14:48发布

问题:

Possible Duplicate:
Do I have to use mysql_real_escape_string if I bind parameters?

I have a quick MySQLi security related question...

For example, take a look at this code (gets input from the user, checks it against the database to see if the username/password combination exist):

$input['user'] = htmlentities($_POST['username'], ENT_QUOTES);
$input['pass'] = htmlentities($_POST['password'], ENT_QUOTES);

// query db
if ($stmt = $mysqli->prepare("SELECT * FROM members WHERE username=? AND password = ?"))
{
    $stmt->bind_param("ss", $input['user'], md5($input['pass'] . $config['salt']));
    $stmt->execute();
    $stmt->store_result();

    // check if there is a match in the database for the user/password combination
    if ($stmt->num_rows > 0)
    {}
}

In this case, I am using htmlentities() on the form data, and using a MySQLi prepared statement. Do I still need to be using mysql_real_escape_string()?

回答1:

Yes since there are non html related entities that can cause harm to your database that real escape string catches. Like UTF-8 characters.

But as noted here in the comments you are using mysqli prepare and that is enough.

BTW MySQLi has it's own escape string function. if you are interested.



回答2:

No, you do not need to use mysql_real_escape_string if you are binding the parameters using prepared statements. In fact using it will give you the wrong result as the escaped data will be inserted into the database. mysql_real_escape_string is needed when the parameter is written directly into the SQL string without using parameters.